Wednesday, 18 June 2014

The reform of Europol: modern EU agency, or intergovernmental dinosaur?

Introduction

The EU’s police cooperation agency, Europol, has played a
major role in the development of Justice and Home Affairs cooperation in the EU
from an early stage. Europol was originally set up informally, then on the basis
of a 1995 Convention, subsequently replaced by a Council Decision in 2009. While
its powers have gradually been expanded, so has the controversy about its
accountability and the adequacy of its data protection rules. Since it is a creature of the former 'third pillar' (the previous special rules on policing and criminal law) it is something of a 'dinosaur' in institutional terms, being an essentially intergovernmental body.

With the entry into force of the Treaty of Lisbon, the
European Parliament (EP) now has joint powers with the Council as regards the adoption
of a Regulation governing Europol, and the Treaty now refers expressly to the
importance of ensuring accountability to both national parliaments and the EP. Furthermore,
the EU institutions agreed in 2012 a ‘Common Understanding’ on standard rules
which would apply to the governance of EU agencies. To expand Europol’s powers
further, while addressing the issues of governance, accountability and data
protection, the Commission proposed a new Regulation reconstituting Europol in
2013.

At the most recent Justice and Home Affairs Council,
ministers agreed the Council’s position on the Commission’s proposal. Since the European Parliament also
recently agreed its own position, this clears the way for negotiations
to take place between the two institutions for a final deal, once the EP is
fully operational again following the recent elections. This is therefore a
good time to examine the progress of discussions on the proposed Regulation so
far.

It should be noted that Ireland has opted in to this
proposed Regulation, while the UK and Denmark have opted out. The UK’s
objections are due to the proposals to place national law enforcement bodies to
comply with Europol’s requests to start investigations, and to supply
information to Europol without a national security exception. However, as
discussed further below, the Council’s and EP’s positions on the proposal
address these issues, raising the possibility that the UK will opt in after
adoption of the Regulation.

Europol’s powers

First and foremost, the Commission failed in its attempt to
merge together Europol with the European Police College. The Commission thought it was a good idea to merge the
two, given the overlap of their subject-matter. There has never been a merger of
EU agencies before, for essentially political reasons: Member States fight
bitter battles to host EU agencies, and so are reluctant to let one go once
they have one. However, unusually, in this case the original host of the
European Police College, the UK, was rather keen to kick the agency out, as it was planning to sell the space where
the College was located and declared itself unable to find a new one.

So there was a golden opportunity to merge these two
agencies, but neither the European Parliament nor the Council wanted to take
it. In light of the Commission’s inflexible insistence on its proposal, an
unprecedented group of 25 Member States tabled an initiative to amend the previous Decision establishing the European Police College, which was
subsequently adopted. This new Regulation simply moves the College to
Budapest. The Council has requested the Commission to make a separate proposal
making further changes to the Police College, but it remains to be seen whether
the Commission will do so, or whether it will continue to sulk about the
failure of its original suggestion for a merger.

The Commission’s second main objective related to Europol
itself. It cannot carry out ‘coercive powers’, according to the Treaties, and
all three institutions agree that a clause to this effect should appear in the
new Regulation. So it is destined to
remain an agency which gathers and analyses information, and it is only able to
do the latter to the extent that it does the former. As dinosaurs go, Europol is clearly a herbivore, not a carnivore.

But the Commission nonetheless hoped to give Europol some sharper teeth. So it proposed
two key amendments: a clarification of Member States’ obligation to give
information to Europol, and an enlargement of Europol’s access to national
databases. In parallel to this, the Commission’s proposal removed the
detailed rules on the structure of data processing that existed in the Europol
Decision (and before that, in the Europol Convention). In place of these very specific rules on analysis files and the Europol Information System, et al, there would
instead be general provisions on data processing, which would be centred upon
an obligation to ensure ‘privacy by design’.

The Council weakened the proposed rules which required
national authorities in principle to act upon Europol’s request to initiate
investigations. However, this issue is mainly symbolic, since there was no
absolute obligation to act, under the Commission’s proposals (authorities could
‘decide not to comply’ with a request, on any grounds).

Furthermore, the Council did not accept the Commission’s
proposal to allow Europol to contact national authorities directly in all
cases, without going through the ‘Europol national units’ (the official points
of contact between Europol and national forces). Instead, it simply provided
(as at present) for the possibility for Member States to allow this. It also
reinserted the current provisions which allow national authorities to refuse
requests for information from Europol on grounds of national security, current
investigations or intelligence activities.

However, the Council agreed with the proposal to give
Europol a list of other new powers, and added new provisions giving Europol the
power to assist with Schengen evaluations, as well as the evaluation of
candidate Member States. It also specified that Member States have to allow
their Financial Intelligence Units (special units dealing with money
laundering) to collaborate with Europol. Finally, it wants to extend the fields
of crime which Europol deals with to include war crimes and genocide as well as
insider trading.

For its part, the EP, like the Council, voted against
strengthening the provisions relating to Europol requests to Member States,
although it did agree to Europol’s direct contact with national authorities
(under certain conditions). It also agreed to retain the provisions allowing
authorities to refuse requests from information from Europol.

Furthermore, the EP wants to reinsert the existing
conditions relating to Europol’s participation in joint investigation teams,
whereas the Commission (and the Council) want to provide only for general rules
in this respect.

Data processing and
data protection

Europol’s powers are inevitably closely linked with the data
processing and data protection rules that apply to its processing of personal
data. On this point, the Commission’s main objective with its proposal was to
enhance the data protection framework of Europol by ensuring that its data
protection supervisor was fully independent and had effective powers.

To this end, the Commission suggested more detailed rules on
data processing and more data protection rights for individuals. The rules on
external transfers of data outside the EU, which currently allow Europol itself
to sign treaties with the Council’s approval, would be replaced by the general
external relations rules of EU law (treaty negotiations carried out by the
Commission, treaties concluded by the Council after consent by the EP). In
general, the rules on transferring data to third States would be modelled on
the rules in the EU data protection directive (see the recent post on this blog), allowing for transfers in
principle only where a third State’s data protection has been judged
‘adequate’, with limited derogations from this rule. The supervisory powers
currently held by a Joint Supervisory Board would be transferred to existing
European Data Protection Supervisor (EDPS), which has data protection
supervisory power as regards most EU agencies.

The Council would amend the proposal to add a general power
to process personal data in order to facilitate information exchange between
Europol, other EU bodies, third countries, Member States and international
organisations. Also, the Council would impose an absolute obligation for Europol
to inform Member States about information concerning them. The Council would
also allow for broader derogations from the normal rules as regards the
transfers of data to third countries, adding grounds relating to legal claims
and the combating of criminal offences.

As for data protection rules, the Council would strengthen
the proposal by banning the selection of a group persons purely on the basis of
a ‘sensitive’ ground, such as racial origin. It would also add a requirement
for Europol to notify its data protection officer and the EDPS in the event of
a security breach. Europol would also have to inform data subjects of the time
period for the processing of their data, and the right to make requests to
Europol for erasure, et al of that data.

However, the Council would drop the requirement for Europol
to report on its processing of sensitive data every six months to the EDPS.
Also, Europol would have to comply with any Member State’s objection to the
release of data which it provided to Europol. A data subject’s request for
correction et al of personal data would have to be funnelled through a national
authority, rather than addressed directly to Europol, and the Council would
include very broad grounds for Europol to refuse such requests.

The Council is also keen to amend the institutional
‘architecture’ regarding data protection in the Commission’s proposal. It would
cut back a little on the proposed powers of the EDPS, and impose the condition
that it considers law enforcement concerns when it communicates with data
subjects. National data protection bodies would have the power to comment on
the draft annual report of the EDPS before its conclusion. More generally, the
EDPS would have further obligations to consult national data protection bodies,
and the Council wants to establish a Cooperation Board that would have a large
number of advisory powers.

For its part, the EP would subject all access to personal
data by Europol to general rules of necessity and proportionality and the
adoption of specific rules setting out data protection principles. The categories of personal data which could
be processed would be more tightly restricted, and the EP does not support
anything similar to a general power to process personal data to facilitate
relations with the Member States, et al. There would be a requirement to carry
out an impact assessment before data processing operations.

The EP would ban access to Europol data by OLAF, the EU’s
anti-fraud body, and also would impose a ban on processing of data obtained by
means which breach human rights. Pre-existing treaties with third states
relating to the processing of personal data would have to be renegotiated
within five years. The EDPS would have to be consulted before treaties with
third States are negotiated.

While the EP broadly agrees with the Council regarding
the derogations from the external transfer rules, it wants to require Europol’s
Executive Director to consider the record of the third country concerned before
authorising the use of these derogations. The EP also agrees with the Council
on a clause regarding notification of a data breach to the EDPS, although its
version is more detailed, and the EP also wants a clause on notification of
such breaches to the data subject. Finally, the EP wants more detail in the
annual report by the EDPS, and proposes more cooperation between the EDPS and
national authorities, although it does not support the Council’s idea of
creating a Board.

Governance

First of all, as regards Europol’s management board, in
accordance with the Common Understanding on EU Agencies, the Commission
proposed that it have two representatives, alongside one from each Member
State. However, both the EP and Council want to cut this back to one
representative (as at present). Moreover, the EP (based on the Common
Understanding, which refers to full EP members on agencies’ management boards)
proposes to let an observer from its Joint Parliamentary Scrutiny Group (see
below) attend meetings of the Management Board. Both the EP and the Council
want to drop the proposed clause (based on the Common Understanding) which
would require Member States to limit turnover in the Board.

The EP supports the
Commission’s proposal to ‘aim to achieve a balanced representation between men
and women’ on the board, but the Council does not.

Next, the Council and
Commission agree that (in accordance with the Common Understanding) members of
the Management Board should have standard terms of four years. However, the EP
wants their term of office to be set by each Member State.

Furthermore, the Council wants the chair of the Management
Board to come (as at present) from one of the three Member States which is
jointly holding the Council Presidency, whereas the Commission and the EP
reject this. Finally, the EP wants all members of the Management Board to sign
a declaration of interests, for such declarations to be published, and for the
Commission to have the power to object to draft Management Board decisions on
fundamental legal or policy grounds. These proposals are based on the Common Understanding.

Secondly, the Council wants to retain its current powers to
appoint Europol’s Executive Director and the Deputy Executive Directors,
instead of shifting this power to the Management Board as the Commission
proposes, in accordance with the Common Understanding on agencies (the EP
agrees with the Commission). But the Council does not want to share this power
with the EP.

Thirdly, the Commission proposed the creation of a new
Executive Board as part of the management structure. The EP rejects this idea
completely, whereas the Council can accept it on condition that the Management
Board agrees unanimously to create it, leaving it to the Board (rather than the
Regulation) to set out the details.

Finally, the Council wants to curtail the scope of the
future reviews of the Regulation, while the EP wants to enhance them to include
the provisions on parliamentary accountability. The Commission and EP support
the possibility of a future amendment or repeal of the Regulation, while the
Council wants to drop this possibility. It should be noted that the Common Understanding
refers to the possibility of disbanding an agency.

Parliamentary accountability

Currently, the EP can receive reports on Europol, plays a
role as regards the budget, is consulted upon implementing measures and can hold
hearings with the Director. Due to concerns about ensuring more effective
parliamentary accountability for Europol’s actions, the Commission proposed a
number of reforms, in particular sending the EP and national parliaments more
reports, and involving the EP more in the process of choosing the (Executive)
Director.

In response, the Council insists upon separate references to
the EP and national parliaments. It would also delete many of the proposed
powers for the EP, in particular dropping the proposed obligation for the
Executive Director to report to the EP and the obligation for the candidate to
be Executive Director to make a statement before the EP.

Conversely, the EP would enhance the parliamentary role in
the Regulation, in particular by creating a Joint Parliamentary Scrutiny Group,
which would comprise members of both the EP and national parliaments. In its
view, references to the EP in the proposal should be replaced by references to
this group. There would also be greater powers for the Joint Parliamentary
Scrutiny Group as regards the process of appointing the Executive
Director.

Comments

The EP and the Council agree broadly on the modest extension
of Europol powers, including in particular the removal of provisions relating
to the European Police College and retaining the current limits on Europol’s
powers as regards national authorities, so these will likely be the least
controversial issues to negotiate. It is striking that these institutions did
not take the opportunity either to reduce the agencies’ costs by means of a
merger, or at least to increase their efficiency by means of co-location.

As regards data protection, there are significant
differences between the EP and the Council as regards: the broadening or
tightening of the grounds for data processing; the details as regards
notification of security breaches; the rights of data subjects; the
architecture of data protection authorities; and the grounds to refuse a data
subject’s requests. Both support some further powers for national authorities.

Two specific points should be highlighted here. First of all,
the Council’s suggestion of a general power for Europol to process personal
data in order to facilitate information exchange has to be rejected on legal
grounds, since this is far too broad and imprecise a legal basis on which to
justify the exchange of personal data. The EP has the better approach: if (as
all the institutions agree) EU legislation should no longer regulate the
details of Europol’s databases and analysis files, there need to be strong and
specific data protection principles in the Regulation instead.

Secondly, while both the EP and the Council agree on a
general derogation from the external transfer rules for the combating of
criminal offences, this exception is likely to become the rule, since combating
criminal offences is Europol’s whole raison
d’etre.

As for governance and accountability, the main issues are
the extent of parliamentary powers, and also the nature of those powers (ie,
whether there should be separate or joint roles for the EP and national
parliaments). It is striking that the Council is keen to have a joint data
protection supervisory body, but not a joint parliamentary body, whereas the EP’s
preferences are the other way around. Remarkably,
the Council’s removal of the (Executive) Director’s obligation to report to the
EP would actually mean less
parliamentary accountability on this point than under the current Decision.

Also, the EP and the Council differ as regards: whether
there should be an executive board; the role of Council as compared to the Management
Board in appointing the executive director; retaining a special status for the
Council Presidency chairing the Management Board; rules on conflict of
interest; other aspects of the composition and functioning of the Management
Board (term, turnover, gender equality, Commission control, conflict of
interests); and the review and possible disbanding of Europol.

On these issues, the Council’s suggestion to go backwards,
by eliminating any role for the EP questioning the Executive Director, is simply
antedivulian. It flies in the face of the specific reference to parliamentary
accountability in the Treaties, given the obvious importance that parliamentary
questioning of an agency director can play in ensuring that body’s accountability.

The Council’s attempts to defend the status quo can also be
seen in its approach to the appointment of the (Executive) Director and the composition
and chairing of the Management Board. The more modern approach of the EP as
regards gender equality, declarations of interests, scrutiny by the Commission,
and review or disbanding of Europol, should be preferred. Furthermore, accountability
surely demands a single parliamentary observer on the Management Board, given
that 28 Member States will each have a voting member to advocate their
interests.

It is striking that two years after agreeing standard rules
on EU agencies, in a bid to forestall future conflicts and difficult
negotiations, all three agencies have taken a ‘pick and mix’ approach to the
Common Understanding, each selecting certain points that they like from these
common principles and rejecting those which they dislike.

Overall, it is clear that the Council’s preference is for
Europol to remain an essentially intergovernmental body, with merely another
incremental increase in its powers, a modest enhancement of the data protection
rules, and no significant change in either its governance or parliamentary
accountability. The EP agrees that the increase in its powers should be
limited, but is pushing instead for a modernisation of the agency in light of the
Treaty of Lisbon and the Common Understanding, as regards stricter data
protection rules, reforming its governance, and greater accountability. Time
will tell whether the Council will succeed in preserving this intergovernmental
dinosaur.